Although this does not comply with the spec, it is likely Java method names
will be used in the annotations. Since it is not possible to validate, this
would be an error that is invisible for the user.

Validate the usage of security role names in the web application
deployment descriptor. If any problems are found, issue warning
messages (for backwards compatibility) and add the missing roles.
(To make these problems fatal instead, simply set the ok
instance variable to false as well).